.NET and Visual Studio Remote Code Execution Vulnerability
The vulnerability is classified as CWE-843 (Type Confusion), which means an error consisting of incorrect interpretation of a data type by the .NET runtime environment. An attacker can provide specially crafted input data that causes incorrect processing of object types, leading to unintended code execution. The attack vector is network-based, requires no authentication or user interaction, which significantly increases its potential reach.
Successful exploitation of the vulnerability gives the attacker full control over the system — it is possible to obtain sensitive data, modify resources, and completely compromise system availability (full CIA triad: confidentiality, integrity, availability).
Microsoft patches released as part of the November 2024 update (Patch Tuesday, 12.11.2024) should be applied immediately. Detailed information about available patch versions can be found in the Microsoft Security Response Center guide at: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43498
Microsoft .NET and Microsoft Visual Studio 2022 running on Microsoft Windows, Apple macOS, and Linux systems. Specific versions are indicated in the manufacturer's references (MSRC).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HApple macOS
OSApplewszystkie wersjeLinux Kernel
OSLinuxwszystkie wersjeMicrosoft .net
APPMicrosoft9.0.0Microsoft Visual Studio 2022
APPMicrosoft17.10.0 – 17.10.9 (bez)17.11.0 – 17.11.6 (bez)17.6 – 17.6.21 (bez)17.8 – 17.8.16 (bez)Microsoft Windows
OSMicrosoftwszystkie wersje
Related vulnerabilities
Atak na łańcuch dostaw DAEMON Tools Lite — trojanizacja instalatorów
Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty
Apple iOS/iPadOS/macOS — out-of-bounds write przy przetwarzaniu obrazu
Commvault Command Center – nieuwierzytelniony RCE przez path traversal w ZIP
Apple: Obejście Pointer Authentication w iOS, macOS i innych platformach